OASIS Web Services Security (WSS) TC

As a result of the recent progress in the TC, and to address any confusion about our intellectual property in
general, ContentGuard is making the following IP declaration to the WSS TC.

ContentGuard believes that practicing solely the latest WSS TC Core specification and Token Profile
specifications for Username, X.509, Kerberos, SAML, XrML, and XCBF, as of 11/13/03, in and of themselves, does not
require a license of the currently issued ContentGuard patents. In addition, practicing solely the latest WSS TC
Interop specifications for Interop1, Interop2, SAML, and XrML as of 11/13/03, in and of themselves, does not
require a license of the currently issued ContentGuard patents.

ContentGuard is the owner of a broad portfolio of patents that cover inventions around Digital Rights Management
systems and applications. There may be systems or applications making use of WSS TC Core, Token Profile, or Interop
specifications that do infringe our patents. Any potential infringement is not affected by the use of a particular
type of security token.

ContentGuard is committed to the success of this forthcoming standard. In those instances where systems or
applications do infringe our issued patents and those systems or applications comply with WSS TC specifications, as
standardized by OASIS, ContentGuard will negotiate licenses covering such systems or applications on reasonable and
non-discriminatory terms and conditions.

RSA Security is the owner of a number of patents dealing with authentication in client / server protocols. RSA
Security believes that these patents are relevant to practicing certain operational modes of the OASIS Security
Assertion Markup Language ("SAML") specifications including the SAML Browser/Post Profile. A royalty free license
was extended to implementers of the SAML specification. The details of this license may be found at:

Two of the relevant patents are U.S. Patent Nos. 6,085,320 and 6,189,098 "Client/Server Protocol for Proving
Authenticity". The general idea described is where a client obtains a signed authentication assertion from an
authority and then passes that signed assertion over an encrypted channel to a verifier (relying party) who, after
validating the assertion, accepts it as proof of authentication of that user.

Two additional U.S. patents could also be relevant. These patents, U.S. Patent Nos. 5,922,074 and 6,249,873,
both entitled "Method of and Apparatus for Providing Secure Distributed Directory Services and Public Key
Infrastructure" were issued to Xcert Software, Inc., which was acquired by RSA Security in 2001. All four patents
identified in this letter are covered by the license available to implementers of the SAML specification.

On review, RSA believes that the same four patents may be applicable to the use of signed security tokens such
as SAML assertions or XrML licenses within WSS security headers. Our intention is to provide similar notice to
OASIS of the applicable patents and to offer a royalty free license to cover WSS implementers under similar license
criteria.

The URL for the US Patent and Trademark Office http://www.uspto.gov can be
used to look up the appropriate patents by number for anyone interested in the details.

As called for, this note is to advise OASIS that Microsoft believes it has pending patent application(s) that
include claims that are necessary to implement the Web Services Security contribution submitted on June 26, 2002,
to the WS-Security Technical Committee ("Contribution"). Microsoft will update this statement if and when such
pending patent application(s) issue.

If an OASIS Standard incorporating this Contribution is adopted by OASIS pursuant to the WS-Security Technical
Committee Charter at the time the Contribution was submitted, Microsoft will grant, for the limited purposes of
implementing and complying with the required portions of the resulting OASIS Standard, a ROYALTY-FREE, worldwide,
non-sublicenseable, non-transferable, license to any such Necessary Claims to implement the Contribution under
reasonable and non-discriminatory terms and conditions, provided a reciprocal patent license is granted to
Microsoft and other implementers of the OASIS Standard.

I am not a lawyer so direct any questions regarding this communication to:

In regards to the initial published draft of the WS-Security specification developed by IBM, Microsoft, and
VeriSign (each an "Author"). The Authors hereby contribute this draft to the OASIS Web Services Security Technical
Committee (WSSTC). In addition to the rights and representations provided for in the OASIS Policy on Intellectual
Property Rights, the Authors make the following grants and commitments:

1. Each Author grants permission to OASIS and OASIS members the right to copy, display, perform, modify and
distribute the Web Services Security ("WS-Security") draft specification and to authorize others to do the
foregoing, in any medium without fee or royalty, for the purpose of further developing the WS-Security
specification in the WSSTC as set forth in the draft WSS TC charter.

2. Each Author commits to grant a non sub-licenseable, non-transferable license to third parties, under
royalty-free and other reasonable and non-discriminatory terms and conditions, to certain of their respective
patent claims that such Author deems necessary to implement required portokions of the WS-Security specification,
provided a reciprocal license is granted.

3. DISCLAIMERS:

THE WS-SECURITY SPECIFICATION IS PROVIDED "AS IS," AND THE AUTHORS MAKE NO REPRESENTATIONS OR WARRANTIES,
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
NON-INFRINGEMENT, OR TITLE; THAT THE CONTENTS OF THE WS-SECURITY SPECIFICATION ARE SUITABLE FOR ANY PURPOSE; NOR
THAT THE IMPLEMENTATION OF SUCH CONTENTS WILL NOT INFRINGE ANY THIRD PARTY PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER
RIGHTS. THE AUTHORS WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES
ARISING OUT OF ANY USE OF THE WS-SECURITY SPECIFICATION OR THE PERFORMANCE OR IMPLEMENTATION OF THE CONTENTS
THEREOF. No other rights are granted by implication, estoppel or otherwise.